WhatsApp Leaks User Metadata to Attackers
Strangers can infer limited info about you without knowing or messaging you, which could theoretically aid certain kinds of malicious activity.
Nate Nelson, Contributing Writer
April 20, 2026
7 Min Read
SOURCE: STLEGAT VIA ALAMY STOCK PHOTO
Tal Be'ery knew that I was online the night before I called him. He knew what kind of device I was using. I didn't share this information with him. All he had was my phone number.
I had no way to know that he was learning that information about me, either. Be'ery, cofounder and chief technology officer (CTO) of Zengo — whose $70 million acquisition by eToro was announced during our call — silently pried into my online habits (with my permission) using a jerry-rigged program he designed to plug into WhatsApp and exploit the thin layer of metadata it leaks. In a presentation at Black Hat Asia 2026, he'll show that anyone can perform the same tricks, be they sophisticated nation-state advanced persistent threats (APTs) or lowly scammers. It doesn't require any kind of sophisticated zero-day; all one has to do is leverage WhatsApp's own design choices.
Dark Reading contacted WhatsApp in the process of reporting this story. The company made no official statement but did confirm the details of Be'ery's findings and alluded to mitigations it's been working on to address the areas of his research WhatsApp deems significant.
Silent Pings
In 2024, Austrian researchers described a series of ways that WhatsApp users can send recipients application-layer messages that don't actually show up on the victim's device. With a custom program plugged into the WhatsApp Web protocol, one could, for instance, send a reaction to a message that doesn't exist. Nothing will happen in the recipient's app, but the sender will still be able to infer if they were active and online, based on the time it takes to get a delivery receipt in return.
Presumably, if an attacker used such a program to constantly, silently ping a recipient's device, they could paint a picture of when their victim is online — their sleep or work schedule, when they might be primed to receive the right kind of phishing message, etc. — or perform a resource exhaustion attack, draining the recipient's battery slowly without their knowing why.
It's even easier to find out what kinds of devices a victim is using, thanks to a quirk in WhatsApp's flagship security feature. The app provides end-to-end encryption for all chats, to the extent that even WhatsApp itself cannot pry into your texts. To make that happen, each device registered to one's WhatsApp account has its own "fingerprint": private key material and an ID, which differ depending on the underlying operating system (OS). When a sender triggers a new chat with a recipient, behind the scenes, they receive the key material and IDs for the devices that recipient has registered with WhatsApp. Ipso facto, by merely adding a victim to one's contact list — an action that does not alert the victim in any way — an attacker can learn what kinds of devices they use WhatsApp on.
"With end-to-end encryption, if someone attacks WhatsApp's servers, they cannot read your data, and even WhatsApp cannot read your data. But the flip side of this coin is that WhatsApp also cannot protect you," Be'ery explains.
Device information might not sound interesting, and WhatsApp isn't the only messaging system that leaks it. Apple's iMessage does so much more visibly, in fact, via its famous blue and green text bubbles. Be'ery's security report on this subject did not meet WhatsApp's threshold for generating a CVE, but the researcher argues that device fingerprinting is useful to bad actors.
At the benign end of the spectrum, companies could use that kind of information to perform surveillance pricing. "You're a potential customer, and I need to know what price to suggest to you. So I have a tell. Maybe you're willing to pay more because you're an iPhone user, and you also have an iPad, and not cheaper Android-based devices."
In the shady world of spyware, powerful threat actors need to ultra-tailor their attacks to specific operating systems. Armed with this knowledge, nation-states can purchase and deploy tools tailored to their specific targets' devices. In his experiments on me, Be'ery went one step further: He sent a message to my desktop, which never arrived on the other devices on which I have WhatsApp installed. "A properly implemented client would have sent it to all three of the devices. But with a rogue client, then I can send to just one, and if I had a Web exploit, then I would send it to just that device," he explains.
WhatsApp's Core Problem
If an unrecognized number has ever sent you a WhatsApp message simply saying "Hi" without elaborating, or added you to a huge group chat about cryptocurrencies, you'll know that there's nothing standing in between you and the bad actors of the world on Meta's chat app.
Any WhatsApp user can message any of its other 3.5 billion users, so long as the sender knows — or guesses — the right phone number. "From a product perspective, of course it makes a lot of sense," Be'ery acknowledges. "Initially, when you're a small company, before you build your network effect, you don't want to have any friction. You want people to talk to each other."
Even compared to other social apps, though, it's highly permissive. "On social networks like LinkedIn or Facebook, I can only get messages from people within my contacts list. And there is a way like a minimal interface for requesting to connect, which cannot contain all kinds of weird data. So it's much more limited, and this creates a much lesser attack surface," Be'ery explains.
WhatsApp's open policy about who can contact whom is what enables Be'ery to track this reporter's online habits, pig butchers to frictionlessly reach your parents, and governments to attack dissidents and journalists with 0-click spyware. In the latter case, though, targets who know they're targets can enable WhatsApp's new "Strict Account Settings" feature, at some cost to their user experience.
Does WhatsApp Need To Be Fixed?
Thus far, Meta hasn't been interested in changing such a fundamental feature of its application logic, for the reasons Be'ery suggests. Instead, it's been working around the problem with features like "Silence Unknown Callers," rate limiting, and more microscopic fixes.
Right around the beginning of the year, for instance, Be'ery noticed that the means by which he could fingerprint Android devices running WhatsApp no longer worked. Because iPhones still leak sufficient metadata, and there isn't a third major mobile OS, the outcome is moot for now. In general, partly in response to Be'ery's research, the developers have quietly been eliminating some means of sending silent pings.
Be'ery takes issue with this approach. "They're going message type by message type. It's a bit of a whack-a-mole. There are dozens of kinds of 'messages': live location, audio-related, all kinds of media-related, polls, etc. Every new feature is a new kind of method [for silent pinging]. So it's much harder," he says, than simply shielding users from strangers like social media platforms do.
"WhatsApp is great," he acknowledges. "I think its end-to-end encryption is much better than what you get, let's say, over Gmail, in which Google is reading your emails because there is no encryption. Having said that, with great power comes great responsibility. I think if only your peers or pre-approved other clients can reach you, then it changes everything. The whole environment would be much safer."
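To make the argument in the "Silent Pings" and "Does WhatsApp Need To Be Fixed?" sections concrete, here is a toy model of the two leak classes the article describes (receipt-timing pings for presence, per-device key bundles for platform) under three server policies: fully open, a blocklist of known silent message types, and gating of unknown senders. This is an added, constructed example, not WhatsApp's protocol or code and not Be'ery's tool; every message kind, device-ID format, phone number and latency value is invented for the simulation.

```python
"""Constructed model of the metadata-leak class the article describes.
Not WhatsApp's protocol or code; all formats, names and numbers are invented.
It compares blocklisting silent message types one at a time ("whack-a-mole")
with gating unknown senders, which closes the whole class at once."""
from dataclasses import dataclass, field


@dataclass
class Device:
    device_id: str   # constructed format "<platform-tag>:<index>", e.g. "i:1"
    online: bool


@dataclass
class Account:
    number: str
    devices: list
    contacts: set = field(default_factory=set)


# Message kinds that render nothing on the recipient's screen when their target
# does not exist. In the model, every new feature can add one (constructed list).
SILENT_KINDS = {"reaction_to_missing_msg", "poll_vote_to_missing_poll", "live_location_stop"}


class MessagingService:
    def __init__(self, gate_unknown_senders=False, blocked_kinds=frozenset()):
        self.accounts = {}
        self.gate = gate_unknown_senders
        self.blocked = set(blocked_kinds)

    def register(self, acct):
        self.accounts[acct.number] = acct

    def _allowed(self, sender, recipient):
        """Gating policy: only pre-approved contacts may reach a recipient at all."""
        return (not self.gate) or sender in self.accounts[recipient].contacts

    def fetch_device_bundle(self, sender, recipient):
        """Per-device identity material a sender obtains before an E2EE session
        (one entry per registered device). None if the server refuses the lookup."""
        if not self._allowed(sender, recipient):
            return None
        return [d.device_id for d in self.accounts[recipient].devices]

    def send(self, sender, recipient, kind):
        """Simulated delivery-receipt latency in ms, or None when no receipt
        arrives inside the observation window (constructed: 150 ms if any
        recipient device is online, otherwise no receipt in the window)."""
        if not self._allowed(sender, recipient) or kind in self.blocked:
            return None
        acct = self.accounts[recipient]
        return 150 if any(d.online for d in acct.devices) else None


def infer_platforms(bundle):
    """Map the constructed device-ID tag back to a platform name."""
    tags = {"i": "ios", "a": "android", "w": "web"}
    return sorted({tags.get(dev.split(":")[0], "unknown") for dev in bundle})


def what_a_stranger_learns(service, stranger, target):
    """Everything a non-contact can infer from the two channels: device platforms
    (from the key bundle) and presence (from receipt timing of silent kinds)."""
    bundle = service.fetch_device_bundle(stranger, target)
    seen_online = any(service.send(stranger, target, k) is not None for k in SILENT_KINDS)
    return {"platforms": infer_platforms(bundle) if bundle else [], "online": seen_online}


def build_service(**policy):
    """Constructed population: a target with an online iOS device and an offline
    web device, a stranger with no relationship, and one approved contact."""
    svc = MessagingService(**policy)
    svc.register(Account("+10000000001",
                         [Device("i:1", True), Device("w:2", False)],
                         contacts={"+10000000003"}))
    svc.register(Account("+10000000002", []))   # the stranger
    svc.register(Account("+10000000003", [Device("a:1", True)]))
    return svc


def compare_defences(stranger="+10000000002", target="+10000000001"):
    """Run the same stranger against each policy and report what leaks."""
    services = {
        "open": build_service(),
        "blocklist": build_service(blocked_kinds=SILENT_KINDS),  # every kind known today
        "gated": build_service(gate_unknown_senders=True),
    }
    out = {name: what_a_stranger_learns(s, stranger, target) for name, s in services.items()}
    # Tomorrow's feature adds a silent kind the blocklist has never heard of.
    new_kind = "new_feature_to_missing_target"
    out["blocklist_after_new_feature"] = services["blocklist"].send(stranger, target, new_kind) is not None
    out["gated_after_new_feature"] = services["gated"].send(stranger, target, new_kind) is not None
    return out


if __name__ == "__main__":
    for policy, leaked in compare_defences().items():
        print(f"{policy:28s} {leaked}")
```

Under the open policy the stranger learns both the platforms and the presence signal; the blocklist stops presence only until the next feature ships a new silent kind, and never touches the device-bundle leak; gating returns nothing on either channel, which is the trade the "Strict Account Settings" feature and Be'ery's proposal both make in exchange for contact friction.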
About the Author
Nate Nelson
Contributing Writer
Nate Nelson is a journalist and scriptwriter. He writes for "Darknet Diaries" — the most popular podcast in cybersecurity — and co-created the former Top 20 tech podcast "Malicious Life." Before joining Dark Reading, he was a reporter at Threatpost.